Validating Symbo Webhooks

How It Works

When you add a webhook in Symbo, you will receive a webhook_secret. Each request from Symbo will include a signature in the X-Hmac-Signature header. Your application must compute a hash using your webhook_secret and compare it to the signature provided in the request header.

Validation Steps

Follow these steps to validate Symbo webhook requests:

Retrieve the Signature: Extract the X-Hmac-Signature header from the incoming request.
Extract the Request Body: Convert the body of the request into a string (exactly as received).
Compute the HMAC Hash: Use your webhook_secret and the SHA-256 algorithm to compute the HMAC hash of the request body.
Compare Hashes: Check if the computed hash matches the X-Hmac-Signature header.

Example Code (Node.js)

const crypto = require("crypto");

const signature = ""; // Signature from X-Hmac-Signature header
const requestBodyString = ""; // Stringified body from Symbo request
const secret = "abcdefg"; // Your webhook_secret

const hash = crypto.createHmac("sha256", secret)
  .update(requestBodyString)
  .digest("hex");

if (hash === signature) {
  console.log("Request verified!");
} else {
  console.log("Invalid signature!");
}

Security Considerations

Use HTTPS: Always receive webhooks over HTTPS to ensure data integrity and security.
Replay Protection: Implement timestamp validation to mitigate replay attacks.
Logging: Log validation failures for debugging but avoid storing webhook secrets in logs.

By following these steps, you can confidently verify Symbo webhook requests and secure your integration.

Help center

Validating Symbo Webhooks

Symbo uses HMAC Validation to authenticate webhook requests made to your application. This ensures that the request originates from Symbo and has not been tampered with.

How It Works

Validation Steps

Example Code (Node.js)

Security Considerations